Sign In
Search Icon
Menu Icon

Appendix J: Communications Plan - Template

Health Care and Public Health Sector Cybersecurity Framework Implementation Guide


This appendix is provided to help health care organizations develop an effective and efficient communications plan and intent is to ensure proper facilitation amongst multiple stakeholders, e.g., the board of directors, executive leadership, business units, and technical staff.  


This Communications Plan provides communications strategies, core messages, and performance measures organizations can use for their cybersecurity awareness, implementation, and continual service improvement.


There are six objectives for a health care organization’s communications around information security.

  1. Ensure accurate, cohesive, and frequent messages are delivered in plain language to audience segments.
  2. Develop awareness of cybersecurity efforts and encourage active participation and show the benefits (corporate, organizational, and employee) – and demonstrate the value of cybersecurity.
  3. Identify the tools available to communicate to all audiences, develop a schedule for communications, and define specific guidelines for submitting content.
  4. Provide management information necessary to support effective communications.
  5. Ensure that resources provide effective information on training, current progress of the Initiative, and best practices to promote improved quality service management.
  6. Provide feedback on the level of customer satisfaction, suggested corrective and preventive actions, lessons learned, security incidents response, and specific ideas for improving the quality of service.

Roles and Responsibilities

Table 13 provides the responsibilities for two principal roles in communications.

Table 13. Roles and Responsibilities
Role Responsibilities

Chief Information Officer 


  • Serves as the Information Security champion
  • Updates the Executive Leadership Team and Board of Directors, as needed 
  • Demonstrates a commitment to and strong support for Information Security initiatives 
  • Acts as an advocate for standardized policies, processes, and procedures
  • Resolves and escalates Information Security issues as appropriate
  • Approves and manages Information Security program resources
Chief Information Security Officer

  • Manages the Information Security Program
  • Leads information security initiatives
  • Establishes standards, templates, workflows, processes, policies, and procedures
  • Validates compliance with regulatory and legal requirements for information security
  • Develops the communications plan for information security initiatives
  • Determines appropriate internal and external communications and helps facilitate those communications
  • Communicates the availability of artifacts, training, and guidelines required for secure quality service delivery
  • Makes sure all communications are accurate and timely, and delivers messages in plain language to targeted audiences using appropriate media


To effectively communicate the Information Security Program and its initiatives, it is important to tailor the messages to the appropriate audiences (all involved parties), which includes the Leadership Team, vendors, suppliers, and customers.

The information required by these audiences will vary in focus and level of detail. The Security Officer must consider each audience's unique interests and perspectives on issues when developing communications.

There are four phases to achieving effective communications dealing with the rollout and acceptance of information security initiatives.

  1. Develop interest and awareness
  2. Educate audiences on the value of having a security framework.
  3. Create a desire to adopt quality service management methodologies, processes, and frameworks and actively participate in the security activities
  4. Institutionalize the need for standardized policies, processes, procedures, and measures to improve service delivery and customer satisfaction

Communication Phases of Implementation

For communication to be effective, it must satisfy the specific needs of all involved parties and the target audience(s) in particular. As individual or group needs vary over time, so must the communications. The 'Initiative Phases' outlined above represent stages when fundamental changes in perception occur for some or all stakeholder groups. 'Communication Phases' directly relate to these Initiative Phases. 

Table 14 summarizes the areas of concern or interest during each of the Communications Phases, and lists the communication goals for each phase.

Table 14. Phased Communication Goals
Phase Anticipated Areas of Concern or Interest
Communication Goals
1. Planning and Preparation
  • Unclear about the implications of the security Initiatives
  • Unaware of the standards and their benefits
  • Confused as to role in effort and level of change
  • Concern regarding impact to the organization and initiatives (cost, schedule, and time)
  • Concern about how changes will impact their work and ability to successfully carry out their assigned tasks
  • Uncertain about the anticipated changes in business policies, processes, and procedures
  • Introduce security standards
  • Set expectations for what is to come
  • Seek and act on feedback from target audiences
  • Develop communication vehicles
  • Communicate management commitment
  • Communicate vision for the future
  • Define parameters of change and initiative scope
  • Articulate timeline and activities
  • State compelling reasons for initiative
  • Enlist support and participation
  • Identify and empower champions
  • Share Initiative progress
2. Implementation
  • Realization of the impact of security activities on resources and timelines
  • Staff concern over personal impact
  • Uncertain of new skill requirements
  • Rising negativity due to changes and work required to meet Initiative objectives
  • Need for details about ISMS and what it means for their domain
  • Concern over impacts of security on operations
  • Availability and effectiveness of training
  • Share initiative progress
  • Set the expectation for work ahead
  • Provide guidance and assistance for all initiative activities
  • Seek and act on feedback from target audiences
  • Motivate towards the end goal
  • Reinforce benefits including access to additional business and personal opportunities
  • Outline phased approach and progress milestones
  • Recognize champions
  • Celebrate the current successes
  • Provide more detail on what change will mean to the different target audiences
  • Provide updates on constraints and accomplishments
  • Emphasize available training and support
3. Validation
  • Impatient about the outcome
  • Apprehensive because things are not perfect the first time
  • Learning new skills
  • Recognition of personal benefits
  • Business benefits understood
  • Fear of business and personal impact
  • Apprehensive regarding customer acceptance of changes
  • Anxiety over internal and external assessment and assessment requirements
  • Relief when “it works” as perceived following initial assessments
  • Share Initiative progress
  • Set realistic expectations for change
  • Focus on successes
  • Continue to communicate timeline
  • Assess preparedness
  • Provide training on the tools and methodologies that will be used
  • Familiarize target audiences with assessment process and expectations
  • Reinforce training and support availability
  • Share lessons learned
  • Seek and act on feedback from target audiences
  • Celebrate milestones
4. Continual Service Improvement
  • Apprehensive over continuous assessment of work and work products
  • Impatience regarding continual service improvement activities
  • Communicate individual contribution to the quality service management
  • Communicate successes including increased business opportunities and customer satisfaction
  • Seek and act on feedback from target audiences
  • Solicit input regarding service improvement and lessons learned
  • Share lessons learned
  • Re-emphasize benefits, training, and access to guidance and assistance to facilitate service improvement and “maintaining the gain”

Core Messages and Vehicles

The core message concepts are reinforced with targeted audiences through selected communication activities and vehicles. Core messages are tailored to the audience's role in a successful implementation of security and support ongoing change management objectives. Core messages will be planned for the following targeted audiences:

  • Leadership Team
  • Customers/Contractors and Suppliers

It is important to communicate core messages through multiple vehicles (tactics) and channels. Vehicles are selected based upon:

  • Availability of vehicle
  • How effective the vehicle is at reaching audiences?
  • The appeal it has to a variety of learning styles
  • Individual audience preference

A variety of written and visual communication vehicles, such as newsletters and announcements, e-mails, surveys, and bulletins, plus more personal, two-way vehicles, such as meetings and briefings to various groups, should be included. A mechanism allowing the audience to ask questions and receive feedback is critical for the security Initiatives.

The following are important guidelines for communications:

  • Consistent messaging is always important, especially with a new initiative
  • Communications must be ongoing once a new initiative begins
  • Recognize that all audiences do not require the same level of detail when receiving the same information

Core Messages for All Audiences

Communicate to all audiences, the following core messages:

  • Demonstrate organization’s commitment to security using a Charter
  • Develop interest and awareness in security and the framework selected to achieve it.
  • Educate audiences on the value of security; describe the benefits to the organization and the individual
  • Create a desire to adopt secure quality service management methodologies, processes, and frameworks, and actively participate in the security Initiative
  • Institutionalize the need for standardized policies, processes, procedures, and measures to improve service delivery and customer satisfaction
  • Explain what to do if questions arise regarding security framework, its implementation, rollout, and continual service improvement

Core Messages for Leadership Team

The core messages for these audiences focus on team communication and communications with other organizations and individuals involved or interested in security:

  • Notify audiences of activities, schedule, progress, successes, artifacts, and events
  • Keep team members up to date on all team activities or activities in related programs or initiatives
  • Share new ideas, articles, and materials related to quality service management and information security
  • Review and communicate lessons learned
  • Record and review feedback from customers and all involved in or interested in security initiatives
  • Emphasize the importance of information security initiatives, training, and awareness
  • Detail methods for creating a desire to adopt secure quality service management methodologies, processes and frameworks, and actively participate in the security Initiatives
  • Reinforce the need to institutionalize standardized policies, processes, procedures, and measures/metrics to improve service delivery and customer satisfaction
  • Stress the significance of open communication and matching the communication to the appropriate audience and vehicle

Core Messages for Vendors, Suppliers, and Customers

Communicate to vendors, suppliers, and customers the following core messages:

  • Announce the results of any information security assessments when applicable
  • Describe customer benefits and the value of information security by outlining the service improvement and customer focused aspects of relevant information security standards
  • Offer options for finding more information about information security and the Information Security Program

Vehicle Selection

A wide range of communications methods or vehicles are available to get information to those who need it, as shown in Table 15. While every vehicle can convey information, some vehicles have greater strengths than others depending on the type of information used.

Table 15. Vehicle Selection
Type of Communication Possible Vehicle

Internal or external Corporate communications
Sensitive or restricted material
Email, meeting, one-on-one, paper 
Urgent, time critical
Email, meeting, one-on-one
Must reach recipient, a large, targeted audience, and/or be easily understood
Email, paper
Requires dialogue; complex or easily misunderstood
Meeting, conference call, one-on-one
Requires feedback or reply
Email, meeting, teleconference, survey
Large amount of content
SharePoint, Skype Meeting
Includes special formats
SharePoint, video teleconference, conference call 
Large unspecified audience; brief message
SharePoint, survey, email
Team centered
Conference Calls, email, meeting, teleconference, video conference, one-on-one, paper

Table 16 summarizes the communication tactics that can be used to deliver core messages to targeted audiences, and include the purpose/content of the communications, the intended audience, the timing and frequency of communications, the intended strategy, and responsible party.

Calendar of Events

The tactics listed in this Communication Plan are recommended for all Communications Phases from Planning and Preparation through Continual Service Improvement. This plan is intended to guide the communication effort through the introduction, acceptance, and continual service improvement. It is recommended that a calendar is developed with planned initiatives identified. This will ensure information regarding events will be reviewed and updated periodically.

<< Back                                                                                                      Next >>

CIP Right-Nav